The Trump administration is pushing hard for smartphone backdoors

The government wants to add a back door key for smartphone encryption, but doing so could be disastrous.

The encryption that secures your phone doesn’t come with a backup key. That may make you nervous if you’re prone to forgetting your passcodes — but it makes many law-enforcement and national-security types even more anxious when they contemplate permanently losing access to valuable evidence.

They use the phrase “going dark” to describe the spread of hardware and software that can only be unlocked by their owners — even if a court orders the companies behind those products to allow police access.

Privacy advocates, however, see “strong crypto” — without any extra keys or back doors — as vital when both commercial and government attackers may want into your devices and the immense stores of data on them.

Meanwhile, companies like Apple (AAPL) and Google (GOOG,GOOGL) increasingly treat strong encryption as a standard feature. As this debate escalates — and as many observers think the Trump administration may try to move a bill mandating what’s sometimes called “exceptional access” — they continue to ship encrypted devices and apps that can’t be whisked out of existence by any such bill.

A new twist on the Apple-FBI fight

The encryption argument got its most public airing two years ago, when the Federal Bureau of Investigation went to court to compel Apple to write special software to disable the lockout system on an iPhone 5c used by one of the San Bernardino shooters.

In March, however, the Justice Department’s Office of the Inspector General issued a report suggesting the FBI hadn’t tried too hard to get into that iPhone.

That report found some FBI employees seemed more anxious to set a court precedent of requiring manufacturers to let in police than to get the San Bernardino shooter’s phone unlocked. It quotes the head of one FBI office voicing his disappointment that another had hired a contractor to hack the iPhone: “Why did you do that for?”

“What we saw was a breakdown of the FBI’s argument,” explained Robyn Greene, policy counsel and government affairs lead at New America’s Open Technology Institute. “You can hack into every version of an iPhone; why do you need to back-door it?”

The biggest secret in phone unlocking in years: GrayKey

Two weeks ago, Vice’s Motherboard tech-news site revealed that one iPhone-unlocking tool — a device offered by Atlanta-based GrayShift called GrayKey — was far more widely used than even the OIG report implied.

Details had surfaced about this apparatus in earlier reports by Forbes and the security firm MalwareBytes, but reporter Joseph Cox found that numerous federal, state and local law-enforcement agencies regularly used GrayKey.

GrayKey works, MalwareBytes reported, by trying passcode after passcode until one succeeds — somehow without triggering the self-defense feature that causes an iPhone to wipe its storage irreversibly after 10 incorrect tries.

GrayKey’s effectiveness and wide use surprised people on both sides of this issue, who are still trying to figure out how it works and how many other such tools might exist.

“It’s hard to know whether there are other undisclosed tools like it,” said Jamil Jaffer, head of George Mason University’s National Security Institute and an advocate of preserving law-enforcement access to encryption.

Andrew Blaich, head of device intelligence at the mobile-security firm Lookout, suggested that market forces alone ensure that more GrayKey-like tools will be built.

GrayShift has since provided its own unintentional warning of the risks of leaving back doors open: After a customer left some of its interface code exposed on the web, unknown hackers downloaded it and demanded a ransom of two Bitcoin. GrayShift doesn’t seem to have paid up.

Congress complicates this

The Trump administration has been more vocal about encryption than Obama’s. “I think the administration is increasingly getting spun up and looking for ways to address this problem,” Jaffer said. Last month, the New York Times reported that the White House was considering pushing for legislation mandating law-enforcement access to encrypted devices.

But so far, the administration has offered little detail about what an exceptional-access system might look like.

Cryptography experts pounced on issues with Ozzie’s already-patented plan. Matthew Green, a professor at Johns Hopkins University, wrote in a post that such a vault of private keys would be both massive — Apple alone would need to safeguard more than a billion — and a massive target for every government and criminal enterprise in the world.

It’s true that, as President Obama warned at the SXSW conference in March of 2016, some horrible crime might push lawmakers not just to act, but to mandate more access than could happen under concepts such as Ozzie’s.

But even then, nothing short of totalitarian controls on software distribution would stop people from using strong encryption in add-on apps like the open-source messaging app Signal. And in that scenario, criminals could benefit more from strong crypto than citizens who play by the rules and stick with the default settings.